
Netflow

The flow exporter is configured on the customer’s side; we only need to provide the IP address and port of our NetFlow collector so that the customer can export their NetFlow traffic to it.

Enable/Disable NetFlow in the New UI

  1. Log in to the LogRhythm NDR new UI.

  2. Click Operational in the sidebar menu, and then click Feature Configuration.
    The Feature Configuration page appears. Select or clear the check box to enable or disable NetFlow traffic.
    Once the check box is selected, the NetFlow IP and Port details can be obtained.

NetFlow in the New UI

  1. Log in to the LogRhythm NDR new UI.

  2. Enter entry_origin:netflow* in the search bar and click the Search icon.
    A drop-down with the list of Activities appears.

  3. Select an Activity from the drop-down list.
    The NetFlow entry origin connection events are displayed.

  4. Click any Connection Event displayed in the table and go to the JSON section of that entry.
    Entry_origin is displayed as NetFlow.

NetFlow Connection Events with high Anomaly scores are displayed under ConnAnomalyEvent.

NetFlow in the Legacy UI

  1. Log in to the LogRhythm NDR legacy UI.

  2. Click Hunt in the sidebar menu, and then click Activity.

  3. In the Hunt page search bar, enter entry_origin:netflow* to view the NetFlow entry origin connection events.

  4. Click any Connection Event displayed in the table and go to the JSON section of that entry.
    Entry_origin is displayed as NetFlow. In addition, the user can determine the source and destination of traffic, class of service, in and out bytes, and the causes of congestion.

NetFlow Connection Events with high Anomaly scores are displayed under ConnAnomalyEvent.
